WordPress Plugin Vulnerabilities

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS

Description

A flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.

Proof of Concept

Affects Plugins

Plugin icon
pagelayer
Fixed in 1.1.2

References

CVE
CVE-2020-35944
URL
https://www.wordfence.com/blog/2020/05/high-severity-vulnerabilities-in-pagelayer-plugin-affect-over-200000-wordpress-sites/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
e0bf6d19-d6a4-4945-8454-950419f1efdd

Timeline

Publicly Published
2020-05-28 (about 5 years ago)
Added
2020-05-28 (about 5 years ago)
Last Updated
2021-01-03 (about 5 years ago)

Other

Published
Title
Published
2022-09-28
Title
Booking Ultra Pro < 1.1.7 - Stored Cross-Site Scripting via CSRF
Published
2024-04-10
Title
AppPresser < 4.3.1 - Cross-Site Request Forgery via force_logging_off()
Published
2025-10-10
Title
Web Accessibility By accessiBe < 2.11 - Cross-Site Request Forgery
Published
2025-04-30
Title
NewsBlogger < 0.2.5.5 - Cross-Site Request Forgery to Arbitrary Plugin Installation
Published
2024-03-19
Title
Woomotiv < 3.5.0 - Review Count Reset via CSRF